Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp7901314rwr; Wed, 10 May 2023 14:30:42 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ4G/k9B0aeYzWWQqqOfzhdiiJpnA35+614w5ugjCsXMPNjG6MsHN8PNzfg0zXQCDXW5NhkM X-Received: by 2002:a17:90a:d30f:b0:250:4847:8d71 with SMTP id p15-20020a17090ad30f00b0025048478d71mr16984316pju.32.1683754242128; Wed, 10 May 2023 14:30:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1683754242; cv=none; d=google.com; s=arc-20160816; b=QkqRkJV91+EI5orcga1Ffl/KKOggSC3OXtxQpzUaX3sOM8CqNQyw0lAuQwkjtamwJu ocbcoWU0/5L2wKitpAQgIy1Ic3LN7EjHrihbtvvjuhBo8dDJX00/Yd2Py1pH2updPCUi FsAQktrs3rBtiSkene0iR92n7oP/ACGsmVp+8nl5+9o/G8X9WAj2iPCZNehmNThAr165 OJT6NJfcHZjaEkTrHYic6nNbkE7nqQfGjn+levhe7twqF6QYnFSsm1FD2Km/K3QW6Idv zcT3LH7wd+cnaX/DFcV4v75DUSpNHEELJ5qSI48DOIgaqt8yFD1WA2Y1sO5QULQrfhX2 rTDA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=Fh63bNXirjYlRC/jjf1XoYxHkBysYc037BusnA4bKgc=; b=H25lpC30LntaM8k8WrRDdsI7d7VDJobWxb2ggeYZ6sRAN1KprxRTsyM5zvdYU6KumR sqZJNq670TvBaSvoI3EklQBkDYJcH2TNB0cHYN4xaWj37wrX4Ark63rVIocPIXt3zpDA HLM2lc/ByRGZ+Deg3yLuJ7ArPjqmnUM3enBx0QyPyd2tD4iD9nlvsvndRHxZ+gbC23Kr aqnynXsp6GpCC/+tkqSu4L5D/1M/HwLGrRPI8mSAwBITuhAme2brbd2amf4ZTyF91elV 1uucYOJlPduxHka1IvGwmG4RNu2gLk2gaUnPGtlGS2B9BJAeovxmxZsXOk1qBNb37v1M CUVw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=qpFq5DN3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id l185-20020a6388c2000000b00524fe1e6a48si4687040pgd.440.2023.05.10.14.30.30; Wed, 10 May 2023 14:30:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=qpFq5DN3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236015AbjEJVWt (ORCPT + 99 others); Wed, 10 May 2023 17:22:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39766 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231189AbjEJVWr (ORCPT ); Wed, 10 May 2023 17:22:47 -0400 Received: from mail-pf1-x432.google.com (mail-pf1-x432.google.com [IPv6:2607:f8b0:4864:20::432]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F34CE2704 for ; Wed, 10 May 2023 14:22:43 -0700 (PDT) Received: by mail-pf1-x432.google.com with SMTP id d2e1a72fcca58-643465067d1so5859880b3a.0 for ; Wed, 10 May 2023 14:22:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1683753763; x=1686345763; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=Fh63bNXirjYlRC/jjf1XoYxHkBysYc037BusnA4bKgc=; b=qpFq5DN35+iZ3b0ZEsilIjueJskUlMqkFjMdlpH5/bEyxcnD8iSjOShjB4RwIYMmDA U0qcftPEhKVYcefqB6iYXK0jc9GwWazTC+dF+niR9z4xJ8SqKuWhEUDg9MYh0yjfZf4P suO1EjZdNi1pTBkecVsut9ZRb8gv/BDyJNkR8glJC2zWC7xlygGf8om6OVeipxO2T/+h rpf7sgoMSFKSWFGMYV7KdOkWMg+AMmQ3jb41XT+2tyBBj5j39bVbIMWAdPrMZOXcgG8c P2tzR1xJk/YPsfPucN49M9FgQvlJE1NhIzmvkbQh5jfs4eS7EodT3opF+uSjA8qL4TeM HpQg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683753763; x=1686345763; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Fh63bNXirjYlRC/jjf1XoYxHkBysYc037BusnA4bKgc=; b=EYZ2xlNdH4KWA+rLQWs/+QFYadY4fB96iB9tb3ZZVRYITSUyVIdY4q1XfSsCCb/SWr SQyAEyCt3D95nif1I5769BYbHeNfr/b89F6DXqxJ30K9PhNtJsA0xJbqu+O//2vi+4RA vmL/FJJ5cDtsyWgAQU8LQTsJKJ25OUoGkOn/imXBkNbMrQcVMpUXqTIJeVOIKUi3Ogqx UndeOoGFuHwIGW+/v6KsAwlA8nB0qpJaPoqJ6ufxU0wn2jMDGE2ZEtdb9YjTjcbDcMqk QEEqrrXjDK4qh26ff+go7XXyErLH0zX6OioEbSWUpqqB4/Rx3DCMQSM8M2+5I87ddiAa fZQw== X-Gm-Message-State: AC+VfDzt47mMA+w21hB1RF695ORDNHbigif/GuKBJwUEG+cWkfOCgcNO j0Bp1lCw64foWJfdJdIFA2ZdNa5KdEl/tfhlgqjYJQ== X-Received: by 2002:a17:903:1d0:b0:1ac:7624:51d7 with SMTP id e16-20020a17090301d000b001ac762451d7mr12148111plh.69.1683753763223; Wed, 10 May 2023 14:22:43 -0700 (PDT) MIME-Version: 1.0 References: <20230510131527.1244929-1-aleksandr.mikhalitsyn@canonical.com> In-Reply-To: From: Stanislav Fomichev Date: Wed, 10 May 2023 14:22:32 -0700 Message-ID: Subject: Re: [PATCH net-next] sctp: add bpf_bypass_getsockopt proto callback To: Marcelo Ricardo Leitner Cc: Aleksandr Mikhalitsyn , nhorman@tuxdriver.com, davem@davemloft.net, Daniel Borkmann , Christian Brauner , Xin Long , linux-sctp@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 10, 2023 at 8:18=E2=80=AFAM Marcelo Ricardo Leitner wrote: > > On Wed, May 10, 2023 at 04:55:37PM +0200, Aleksandr Mikhalitsyn wrote: > > On Wed, May 10, 2023 at 4:39=E2=80=AFPM Marcelo Ricardo Leitner > > wrote: > > > > > > On Wed, May 10, 2023 at 03:15:27PM +0200, Alexander Mikhalitsyn wrote= : > > > > Add bpf_bypass_getsockopt proto callback and filter out > > > > SCTP_SOCKOPT_PEELOFF and SCTP_SOCKOPT_PEELOFF_FLAGS socket options > > > > from running eBPF hook on them. > > > > > > > > These options do fd_install(), and if BPF_CGROUP_RUN_PROG_GETSOCKOP= T > > > > hook returns an error after success of the original handler > > > > sctp_getsockopt(...), userspace will receive an error from getsocko= pt > > > > syscall and will be not aware that fd was successfully installed in= to fdtable. > > > > > > > > This patch was born as a result of discussion around a new SCM_PIDF= D interface: > > > > https://lore.kernel.org/all/20230413133355.350571-3-aleksandr.mikha= litsyn@canonical.com/ > > > > > > I read some of the emails in there but I don't get why the fd leak is > > > special here. I mean, I get that it leaks, but masking the error > > > return like this can lead to several other problems in the applicatio= n > > > as well. > > > > > > For example, SCTP_SOCKOPT_CONNECTX3 will trigger a connect(). If it > > > failed, and the hook returns success, the user app will at least log = a > > > wrong "connection successful". > > > > > > If the hook can't be responsible for cleaning up before returning a > > > different value, then maybe we want to extend the list of sockopts in > > > here. AFAICT these would be the 3 most critical sockopts. > > > > > > > Dear Marcelo, > > Hello! > > > > > Thanks for pointing this out. Initially this problem was discovered by > > Christian Brauner and for SO_PEERPIDFD (a new SOL_SOCKET option that > > we want to add), > > after this I decided to check if we do fd_install in any other socket > > options in the kernel and found that we have 2 cases in SCTP. It was > > an accidental finding. :) > > > > So, this patch isn't specific to fd_install things and probably we > > should filter out bpf hook from being called for other socket options > > as well. > > Understood. > > > > > So, I need to filter out SCTP_SOCKOPT_CONNECTX3 and > > SCTP_SOCKOPT_PEELOFF* for SCTP, right? > > Gotta say, it seems weird that it will filter out some of the most > important sockopts. But I'm not acquainted to bpf hooks so I won't > question (much? :) ) that. Thanks for raising this. Alexander, maybe you can respin your v2 to include these as well? > Considering that filtering is needed, then yes, on getsock those are > ones I'm seeing that needs filtering. Otherwise they will either > trigger leakage or will confuse the application. [..] > Should we care about setsock as well? We have SCTP_SOCKOPT_CONNECTX > and SCTP_SOCKOPT_CONNECTX_OLD in there, and well, I guess any of those > would misbehave if they failed and yet the hook returns success. For setsockopt, the bpf program runs before the kernel, so setsockopt shouldn't have those issues we're observing with getsockopt (which runs after the kernel and has an option to ignore kernel value). > Thanks, > Marcelo